Researchers from cybersecurity firm ESET found that a recent cyber espionage campaign using the open-source malware XploitSPY targeted Android users in India and Pakistan.
The campaign, which ESET named ‘eXotic Visit,’ was active between November 2021 and the end of 2023.
ESET researchers observed around 380 victims of the campaign.
Although they were unable to attribute the campaign to a known adversary, ESET researchers referred to the threat actors as ‘Virtual Invaders.’
Decoding eXotic Visit
How Victims Get Compromised with XploitSPY
To lure their victims into downloading the XploitSPY malware, Virtual Invaders bundled it together with mobile applications, primarily messaging apps.
Most of these apps are fake but functioning messaging apps. The threat actors behind the campaign started providing these malicious apps on dedicated websites before offering some on the Google Play Store as well.
XploitSPY is a Remote Access Trojan (RAT) that was uploaded to GitHub as early as April 2020 by a user named RaoMK, who was allegedly associated with an Indian cyber security solutions company called XploitWizer.
XploitSPY is based on L3MON, a now-defunct open-source Android RAT inspired by AhMyth.
XploitSPY’s Espionage Capabilities
Once a victim has installed a compromised app, the XploitSPY payload inside can extract various types of data, such as:
- Contact lists and files
- Call logs
- A list of installed apps
- A list of surrounding Wi-Fi networks
- The device’s GPS location
- The names of files listed in specific directories related to the camera, downloads, and various messaging apps such as Telegram and WhatsApp
XploitSPY also allows the threat actors to perform malicious actions on the victim’s phone. These include:
- Sending SMS messages
- Taking pictures using the camera
- Recording audio from the device’s surroundings
- Intercepting notifications received for WhatsApp, Signal and any other notification that contains the string ‘new messages’
If specific filenames are identified as being of interest, they can subsequently be extracted from these directories via an additional command from ngrok, Virtual Invaders’ command and control (C2) server.
“Interestingly, the implementation of the chat functionality integrated with XploitSPY is unique; we strongly believe that this chat function was developed by the Virtual Invaders group,” the researchers explained.
An Evolving Campaign
The malware also uses a native library, whose purpose is not to improve performance and access system features, as is often the case in Android app development, but to hide sensitive information, like the addresses of the C2 servers, making it harder for security tools to analyze the app.
The campaign has evolved over the years to include obfuscation, emulator detection and hiding of C2 addresses.
A Long List of Malicious Apps
Apps Previously Associated with XploitSPY
One of the malicious apps used in the eXotic Visit campaign, called WeTalk, was discovered by MalwareHunterTeam in January 2022.
“The website provided a link to a GitHub project to download a malicious Android app. Based on the date available on GitHub, the ‘wetalk.apk’ app was uploaded in December 2021,” added the ESET researchers.
Other apps associated with the XploitSPY malware in the past include:
- ChitChat
- LearnSindhi
- SafeChat
- PrivateChat
- PersonalMessenger
- TalkUChat
- Photo Collage Grid & Pic Maker
- Alpha Chat
- Dink Messenger
ESET’s Revelations
In its report, ESET revealed the names of three other malicious apps containing XploitSPY that were available on Google Play, Zaangi Chat, Wicker Messenger and Expense Tracker, as well as seven other apps that threat actors tried to upload to Google’s online app store.
As a Google App Defense Alliance partner, ESET reported the ten additional malicious apps to Google, which removed them from its store.
“Because of the targeted nature of the campaign, the number of installs of each app from Google Play is relatively low – between zero and 45,” wrote the researchers.